Corgea LogoCorgea Security Hub

CWE-499: Serializable Class Containing Sensitive Data

Learn about CWE-499 (Serializable Class Containing Sensitive Data), its security impact, exploitation methods, and prevention guidelines.

What is Serializable Class Containing Sensitive Data?

• Overview: Serializable Class Containing Sensitive Data refers to a vulnerability where a class containing sensitive information does not explicitly deny serialization, allowing its data to be accessed and potentially misused by other classes.

• Exploitation Methods:

  • Attackers can exploit this vulnerability by creating or using a class that serializes the target class, thereby accessing its sensitive data.
  • Common attack patterns include exploiting known serialization mechanisms or crafting custom serializers to extract data.

• Security Impact:

  • Direct consequences of successful exploitation include unauthorized access to sensitive information such as passwords or personal data.
  • Potential cascading effects include further data breaches, identity theft, or system compromise.
  • Business impact can involve legal penalties, brand damage, and loss of customer trust.

• Prevention Guidelines:

  • Specific code-level fixes include marking sensitive fields as transient or implementing writeObject and readObject methods to control serialization.
  • Security best practices involve reviewing code for classes containing sensitive data and ensuring they explicitly prevent serialization.
  • Recommended tools and frameworks include static analysis tools that check for serialization vulnerabilities and libraries that enforce secure serialization practices.

Corgea can automatically detect and fix Serializable Class Containing Sensitive Data in your codebase. Try Corgea free today.

Technical Details

Likelihood of Exploit: High

Affected Languages: Java

Affected Technologies: Not specified

Vulnerable Code Example

import java.io.Serializable;

/**
 * Vulnerable class because it implements Serializable without protecting sensitive data.
 */
public class UserCredentials implements Serializable { // {3}
    private String username;
    private String password; // {5}

    public UserCredentials(String username, String password) {
        this.username = username;
        this.password = password;
    }

    // Getters and setters...
}

Explanation:

  • The UserCredentials class implements Serializable and contains sensitive data (password) which can be serialized and potentially exposed. Serialization of sensitive data without protection can lead to unauthorized access if the serialized data is intercepted or improperly accessed.

How to fix Serializable Class Containing Sensitive Data?

To fix this vulnerability, you should prevent serialization of sensitive data. This can be achieved by marking sensitive fields as transient, which ensures that they are not serialized. Additionally, providing custom serialization methods (writeObject and readObject) allows you to control the serialization and deserialization process, ensuring sensitive data is handled securely.

Best Practices:

  • Mark sensitive fields as transient to prevent them from being serialized.
  • Implement custom writeObject and readObject methods to handle sensitive data securely.
  • Use encryption or other security mechanisms if you must serialize sensitive information.

Fixed Code Example

import java.io.ObjectInputStream;
import java.io.ObjectOutputStream;
import java.io.IOException;
import java.io.Serializable;

/**
 * Fixed class that securely handles sensitive data by preventing its serialization.
 */
public class SecureUserCredentials implements Serializable { // {3}
    private static final long serialVersionUID = 1L;
    private String username;
    private transient String password; // Prevents serialization of sensitive data {6}

    public SecureUserCredentials(String username, String password) {
        this.username = username;
        this.password = password;
    }

    // Custom serialization method
    private void writeObject(ObjectOutputStream oos) throws IOException { // {10}
        oos.defaultWriteObject(); // Serialize non-sensitive data
        // Here you could add logic to encrypt the password before writing
    }

    // Custom deserialization method
    private void readObject(ObjectInputStream ois) throws IOException, ClassNotFoundException { // {16}
        ois.defaultReadObject(); // Deserialize non-sensitive data
        // Here you could add logic to decrypt the password after reading
    }

    // Getters and setters...
}

Explanation:

  • Line 6: The password field is marked as transient, preventing it from being serialized. This ensures that sensitive data is not inadvertently exposed through serialization.
  • Lines 10-22: Custom writeObject and readObject methods are implemented, allowing for controlled serialization. These methods provide an opportunity to encrypt/decrypt sensitive data, enhancing security. This approach ensures that any sensitive data that must be serialized is protected during the process.

By ensuring that sensitive data is not serialized or is handled securely during serialization, we protect it from unauthorized access.

Corgea Logo

Find this vulnerability and fix it with Corgea

Scan your codebase for CWE-499: Serializable Class Containing Sensitive Data and get remediation guidance

Start for free and no credit card needed.